Monday, May 22, 2017

One Conference - NLCyber Haiku

I attended the One Conference in The Hague recently, and seeing my European peers talking cybersecurity and Vermer's art inspired me.

The Girl With the Perl Earring

What does she look at,
The Girl with the Perl Earring?
Your code needs review.

Beneath her turban,
Her mind races through the vulns.
She sees the exploits.

Just out of the frame,
Her lithe fingers are dancing.
She's pwning your site.

Thursday, April 27, 2017

SOURCE Boston - Stop Asking?

I've had a great time attending this year's SOURCE Boston conference. Today's panel discussion on ransomware inspired this sad song.

Stop Asking?

Files arrive with a smile,
   a wink,
   and a nod.
Or they trickle down,
   the drips from a leaky ceiling,
   bad news arriving, staining,
      and costing.

You need to click.
   They demand your attention.
      (So shiny!)
   They promise you others' secrets.
      (While demanding all yours.)
   They warn you of impending doom.
      (Not far from the truth.)

You have to click.
   and the smiles drop,
     the ceiling crashes down,
   and you are left to wade
      through unfriendly faces
      offering you a life jacket
         for a price.

"But what if
   those smiles had been genuine
   and there really was
   a hole that needed patching?"
      (How could you know?)

The next file arrives
   and while holding a mop,
   you ask again.

Tuesday, June 14, 2016

FIRST 2016 - Innovation

Today's keynote at the FIRST conference discussed the importance of innovation in security products and services. Not everyone is a fan of such things.


Innovation, you say?
It's easy to say.
Harder to do when you're spending your day
Fighting the fires and calling out liars
And answering calls from your C-level criers.
We barely have time to kick all the tires
On products we buy
Whenever we try
To solve all our problems
When the budget is high.
(Sometime we barely can even ask why.)
Often we're choosin'
Tools that are proven
By peers who have shown
That they're really worth usin'
And are ones that risk management ain't refusing.
We'd like something new,
Innovation that's true,
But it's rare that it's something we'd purposely do.
Radical changes we often eschew.
Innovation is something, I guess, that we fear.
It's something, I'd say, you'll never find here.

Monday, June 13, 2016

FIRST 2016 - Tabletop Exercises

Performing tabletop exercises to practice and learn more about incident response processes of an organization and to improve those processes is an excellent thing to do. Kenneth van Wyk gave an excellent presentation on how to run tabletop exercises.


Fledgling stretches wings
Learning how to make them work.
SOC testing new tools.

A confident hawk
Dives to catch its fleeing prey.
The IDS fires.

Unseen in the trees,
Trappers wait with heavy nets.
A tabletop drill.

How will the hawk eat
When it's wings and beak are bound?
Prepare for the worst.

Hawk learning to hunt
While tied to the rocky ground.
SOC will be ready.

No matter the wind,
The rain, or the predators.
Business must go on.

FIRST 2016 - The Vulnerability Lifecycle

CERT/CC presented a workshop on coordinating vulnerability disclosure. Understanding the vulnerability life cycle helps when developing a corporate vulnerability management process.

Vulnerabilities live, those wee nasty things.
And all through their lives, oh, the mess that they bring!
First they're discovered through various methods,
Researchers probing and using their big heads
Or accidents happening by users at play
That leave them amazed or completely dismayed.
Once it's discovered, it's time for disclosure,
Which may cause a vendor to lose their composure.
This process requires so much c'ordination
Which reduces the impact and bad situations.
Before things are published, we look for a fix:
Remediation through patches or similar tricks.
Deploy out the changes and work toward removal
Of bugs or the process that earned disapproval.
Not much of a life! Vulns are no fun.
Though they seem to be smiling as they yell and they run

Sunday, June 12, 2016

FIRST Conference 2016

Many of my InfoSec peers have come to Seoul to attend the 28th Annual FIRST Conference. It should be a fun, busy, and illuminating time! It is my first big conference since leaving my higher ed crew. I hope these folks will party as hard.


Welcome to FIRST!
It's time to get funky.
We've all got some problems
On our backs like a monkey.

Criminals trying to get all our goods.
(Some of them organized, some are just hoods.)
How do we share the intelligence gathered?
What are the details we found really mattered?
What are the tools that we all kinda need?
Who can we turn to when we start to bleed.
Red teams and training and policy work,
Pressos that aim to eat through the murk.

Let us get started. Just dive in and go.
Listen and share, help community grow!

Thursday, March 10, 2016

Boston Security Camp - Afternoon Session

From the afternoon session of the BC Security Camp.


REN-ISAC watches,
Threat sharing flows through their hands,
Tall trees grow stronger.

APT Experiences

Even an oyster,
Old, rotten, may have a pearl.
Must open a phish.

VirusTotal shrugs
At the malware file we found.
Wolves howl outside.

IOCs popping.
The APT evolving.
Wounded lamb crying.

Creating a Good Business Relationship Between IT and Treasury for PCI compliance

One good data breach.
Storm water breaks through a dam.
Beavers must rebuild.

Follow the money.
Stars pointing to Treasury:
A PCI map.

Sharing the burden,
Huddling against the winds
Of attestation.

Database Security

The harsh thunder booms
When audit arrives, seeking
Your database logs.

A giant mountain,
Oracle databases.
Their logs are lava.

Information flows
Meta information grows.
DBA hair grays.

Boston College Security Camp - Morning Haiku

I have the privilege of attending this year's Security Camp hosted by Boston College. This morning's presentations inspired some haiku.

Security Camp.
Talks around the camp fire.
Ghost stories, epics.

Moving to the Cloud - Resistance is Futile

Somewhere in the Cloud,
Raindrops form from falling ice.
Your data in tears.

Backups in the Cloud
Backing up backed up data.
Clouds, rain, ocean, clouds.

Acquiring clouds
And claiming them to be yours.
A game for sad fools.

Information Stewardship Governance Program 

Stewarding data,
Each piece led across the Styx
Or to calm prairies.

Understand your data:
A wolf knows all paths traveled
By each pup and prey.

Acorns stored by squirrels
Remain hidden all winter.
Come spring, they grow large.

Software Identification Tags

What should be patched when
Vulnerabilities drop?
Ask the wind and hope.

Browsing undergrowth,
Doe wishes she knew what's there,
Eating, not searching.

XML flowing,
Tagging the world that it knows.
Each leaf on each branch.

Wednesday, January 6, 2016

CVE Haiku

CVE is a useful bit of infrastructure under the US IT sector's vulnerability management machine. However humble, it is still inspirational.

CVE Haiku

CVE counting.
How many motes of pollen
Drifting o'er a field.

A home for problems:
The tree becomes much greater
When we name the leaves.

No one can tell you
What's vulnerability.
Is each fear unique?

Monday, October 5, 2015

Live Data In Dev, Live Data in Test

One of the more recent examples of poor development policies was the compromise of Patreon's test environment, in which they used live data, apparently. This is a bad practice for many reasons, but it's a practice that still happens often.

Live Data In Dev, Live Data In Test

I had a cool dream to build a cool site.
I coded it hard, with all my might.
When I decided twas time for a test,
I wanted the data I knew that was best.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

I sent out the link to my friends in QA.
Worried a bit about what they may say.
But bringing in Infosec wasn't a thought:
Only later they found what a mess I had wrought.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

My friends in QA were happy, they said.
I migrated to live sans feelings of dread.
My dev and test servers? I'd keep them around
In case there were unforeseen bugs that were found.

One of those bugs was the QA account:
Password of "QA" and a live data mount,
Still active within my development host,
Discovered by hackers and shared on a post.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

All of that data has flown all away!
The old morning papers have so much to say.
Pastebin and reddit have made many copies
Someone has even wrote it to floppies.

Infosec's asking me what I was thinking.
Using live data; had I been drinking?
"No," I explained, "I was doing my job,
Though not any more," it dawned with a sob.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.